After performing a search with basic filtering parameters and obtaining a list of events, I know one can click a record's drop-down -> "Show Source" to see the event in the context of its source.
Is there any way to integrate that information into my results, so that I can export each flagged event PLUS ~5 events above/below it from the source log file?
Ultimately I would like to export in a format like this:
SID, Search Result?, _time, _raw
1001, , 4/26/2012 8:55:10 AM, This is the raw text of the event PRECEDING a search hit
1002, X, 4/26/2012 8:55:45 AM, This is the raw text of the event FLAGGED by the search
1003, , 4/26/2012 8:56:30 AM, This is the raw text of the event AFTER a search hit
3456, , 5/10/2012 6:15:47 PM, This is the raw text of the event PRECEDING a search hit
3457, X, 5/10/2012 6:16:02 PM, This is the raw text of the event FLAGGED by the search
3458, , 5/10/2012 6:16:53 pm, This is the raw text of the event AFTER a search hit
My data is relatively simple, with each event on a new line and in a consistent format. I hope what I'm asking is clear.. Please let me know if any elaboration is needed. I appreciate any and all insight!!
What you want seems similar to what is discussed in this q/a: http://splunk-base.splunk.com/answers/2602/can-splunk-filtermatch-events-and-bring-back-neighbouring...
Short answer: unfortunately there is no GOOD way to do it, but you can get pretty close. Refer to the linked q/a above for more details.
What you want seems similar to what is discussed in this q/a: http://splunk-base.splunk.com/answers/2602/can-splunk-filtermatch-events-and-bring-back-neighbouring...
Short answer: unfortunately there is no GOOD way to do it, but you can get pretty close. Refer to the linked q/a above for more details.
Thanks you! I guess I didn't know the right language to use when searching to see if a similar post already existed.. but yes this addresses what I'm asking. Thanks so much for the guidance.